Cascading Style Sheets (CSS) provide a simple mechanism for adding style (e.g., fonts, colors, and spacing) to web documents. CSS's standard, entitled “Cascading Style Sheets Level 2 Revision 1 (CSS 2.1) Specification, W3C Candidate Recommendation 19 Jul. 2007”, contains definitions for pseudo-class styles or selectors that apply to elements when the elements are in a particular state or condition. For example, the pseudo-class “:link” applies to links that have not been visited and the pseudo-class “:visited” applies to links that have been visited.
So, for example, the pseudo-class “:link” can be used to add style to a link that has not been visited such as by coloring the link or changing the link's font in a particular way. The pseudo-class “:visited” can be used to add style to a link that has been visited, such as by coloring the link or changing the link's font in a particular way. The “:visited” pseudo-class draws upon historical information about a user's past browsing activities in order to enable styles to be added to a particular link.
One of the problems associated with pseudo-classes, and in particular those mentioned above, pertains to user information (referred to herein as “personally identifiable information”) that can be collected regarding operations surrounding use of the pseudo-classes. A user's past browsing activities constitute one type of personally identifiable information. Because this collected information is personal in nature, it can form the basis for some type of attack aimed at a particular user. For example, collected information about which sites a user has visited might be used to deliver a user experience which is specifically targeted to the user's browsing history. This, in turn, can increase the potential that the user will respond to the attack in a way that the attacker desires.
Personally identifiable information can be gathered in a number of ways. The information might be gleaned by script that is designed to read information about applied styles off of an element in question. For example, script might attempt to read formatting information that describes whether a user has visited a particular site or has taken a particular type of action. Alternately or additionally, personally identifiable information might be inferred by examining HTTP traffic related to style processing that results in image requests made to a remote source. That is, when a user clicks on a particular link, the user's web browser might responsively generate an HTTP request for a remotely located image. When a server receives the HTTP request, it can infer from the request that the user has visited a particular link. Alternately or additionally, personally identifiable information might be gathered by ascertaining whether complex formatting has taken place that affects the layout of surrounding elements within a page. That is, a user may take some action that causes the surrounding structure of a web page to be modified in some way. Based on the structural modification, one can infer that a user has taken the action, such as clicking on a link. Further, personally identifiable information might be gathered by examining differences in code path times. For example, assume that a web browser has a particular code path that executes synchronously or even asynchronously and has a detectable end state, such as a completion callback. If a mitigation were added so that this code path does not check a user's browsing history, then the time taken by that path would be significantly less than the time taken by a path that checks the user's browsing history. By detecting the timing differences, an attacker can infer which code path was run.
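The first three channels described above (applied styles readable by script, image requests, and layout changes) can be looked for when reviewing a stylesheet. The following is an added example, not part of the original text: a small Node.js audit that labels each declaration in a “:visited” rule with the channel it could expose. The property list, the sample stylesheet and all function names are assumptions constructed for illustration; the timing channel is outside its scope.

```javascript
// Added example: label declarations in :visited rules by the disclosure channel
// they could open. LAYOUT_PROPS is an illustrative assumption, not exhaustive.
const LAYOUT_PROPS = new Set(['display', 'position', 'float', 'width', 'height',
  'margin', 'padding', 'border-width', 'font-size', 'font-weight', 'line-height']);

// Constructed sample stylesheet (static.example is a placeholder host).
const SAMPLE_CSS = `
a:link { color: blue; }
a:visited { color: purple; }
a.promo:visited { background-image: url(https://static.example/seen.png); }
#nav a:visited { font-size: 20px; padding-left: 4px; }
`;

// Minimal parser for flat rules. Nested @-rules and values containing ';'
// (such as data: URLs) are not handled.
function parseRules(css) {
  const clean = css.replace(/\/\*[\s\S]*?\*\//g, ''); // drop comments
  const re = /([^{}]+)\{([^{}]*)\}/g;
  const rules = [];
  let m;
  while ((m = re.exec(clean)) !== null) {
    const decls = m[2].split(';').map(d => d.trim()).filter(d => d.includes(':'))
      .map(d => {
        const i = d.indexOf(':');
        return { prop: d.slice(0, i).trim().toLowerCase(), value: d.slice(i + 1).trim() };
      });
    rules.push({ selector: m[1].trim(), decls });
  }
  return rules;
}

function classify({ prop, value }) {
  if (/url\(/i.test(value)) return 'remote-request'; // fetch is visible to a server
  if (LAYOUT_PROPS.has(prop) || /^(margin|padding)-/.test(prop)) return 'layout-change';
  return 'computed-style'; // observable by script reading applied styles
}

function auditVisited(css) {
  const findings = [];
  for (const rule of parseRules(css)) {
    if (!/:visited\b/i.test(rule.selector)) continue; // only history-dependent rules
    for (const decl of rule.decls) {
      findings.push({ selector: rule.selector, prop: decl.prop, channel: classify(decl) });
    }
  }
  return findings;
}

for (const f of auditVisited(SAMPLE_CSS)) console.log(f.channel, f.selector, f.prop);
```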